MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e9bb2ac28ce3eddd3d78d47c7af51ccc143bdfe09faa32752c67fa126edabc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e9bb2ac28ce3eddd3d78d47c7af51ccc143bdfe09faa32752c67fa126edabc3
SHA3-384 hash: 189ed9bf42f5e23a44a6b99abc4ca8abb2ba81e73e6706851e5c9feb5b6802730fe8972690925855e2a932897c022e9a
SHA1 hash: 00a147feff2db2f5383cde5d7b7d9ab7147d4048
MD5 hash: 766a5dc6e9d502153f046316ed90ae35
humanhash: sad-eight-queen-utah
File name:Purchase 0rder 19940.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:436'224 bytes
First seen:2020-06-29 05:45:44 UTC
Last seen:2020-06-29 06:45:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:Pb3vMF6rfO3xpqkoqkmDDRoB9rVoylgGN2Svu:TprcToqkERoLuG0Sv
Threatray 5'100 similar samples on MalwareBazaar
TLSH 29944B17BD85E529C044597380EF1E81A376A9D13333D74FBF8AAB680E4025A7E6731E
Reporter abuse_ch
Tags:exe FormBook


Avatar
abuse_ch
Malspam distributing Formbook:

HELO: vps.thonivii.com
Sending IP: 45.95.169.6
From: sales.annhung@yandex.com
Subject: Re: Re: Attached new order
Attachment: Purchase 0rder 19940.rar (contains "Purchase 0rder 19940.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/15313/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.34087564.2492.7919.UNOFFICIAL
Create hunting rule

Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3e9bb2ac28ce3eddd3d78d47c7af51ccc143bdfe09faa32752c67fa126edabc3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 00:48:00 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h2n3flbizy7n3u6xrvd4pl2rztauhpp6bh5kgj2syz72cjxnvpbq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
73b08755001aa841367c969576a59bde8749a39267ffd48f28b5738d531fd16d
Formbook
7b1f38ea00893691f1f2026c920e6755595e38c79fb43db6136ab8dee695455f
Formbook
7e1cc3c2c72032a35e00a39574018d4dc7b5c8b4a2b52e865be86cea4fb03436
Formbook
836e10c649bce22fed99ea498ea2f36c8d7e832be5be20de60a4f0a13db71ed9
Formbook
8ffe1634ec406dc2f1db74d9dd90ddf64b3abf2e42d491406b758d177747213a
Formbook
927ea99a59336bb821aa9062c686d43e3022224f56c6f34338218ddc6e165cfb
Formbook
bebdb4d1e77c1b459833876c8599ce54d46bcba89e3c8d13c1add73723648fb9
Formbook
c629f38c249f5f8a7da9911fae23c88120e4a750e3dfc52578396094a7ec7dcd
Formbook
f646b35153e14b1c060f94dfa4e3467165946dd9720b8ed63c2e8b144f132f22
Formbook
fc6b805a646f42a086dc2006a3a1ebe276b45d4583aae6ecb8745330a5139733
Formbook
+ 5'090 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
persistence spyware evasion trojan stealer family:formbook
Link:
https://tria.ge/reports/200629-qskhzpjrdj/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run entry to start application
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Formbook
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Formbook in memory
Reference:internal research
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar bfc7d58d1d510b55fef9ead76d90040b0d0873cace4219b0ff4dd9ee44dd3205

Formbook

Executable exe 3e9bb2ac28ce3eddd3d78d47c7af51ccc143bdfe09faa32752c67fa126edabc3

(this sample)

  
Dropped by
MD5 76f3c291711a8016899d851f90fbff61
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/15313/
  
Dropped by
SHA256 bfc7d58d1d510b55fef9ead76d90040b0d0873cace4219b0ff4dd9ee44dd3205

Comments